Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-reachable unauthenticated endpoint; nonce trivially extracted from public pages; confidentiality limited to SSRF-readable responses; no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php) that verified a nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 + includes/Helpers.php lines 64-83), so the nonce gate was not an authentication boundary; any visitor of a public post with an embed could grab it and reuse it. This issue has been patched in version 1.5.9.
AnalysisAI
Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (ftf-fediverse-embeds-nonce) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke file_get_html($site_url) with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.
Technical ContextAI
The vulnerability is rooted in CWE-918 (Server-Side Request Forgery) within the PHP-based Fediverse Embeds WordPress plugin (CPE: cpe:2.3:a:stefanbohacek:fediverse-embeds-wordpress-plugin). WordPress's wp_ajax_nopriv_ hook prefix registers AJAX actions that execute for unauthenticated (logged-out) users, and the plugin registered wp_ajax_nopriv_ftf_get_site_info in includes/Site_Info.php. This action accepted a caller-supplied site_url parameter and passed it directly to file_get_html() from the PHP Simple HTML DOM Parser library - a function that performs a full HTTP fetch of the supplied URL. The nonce check (ftf-fediverse-embeds-nonce) was bypassed in practice because includes/Enqueue_Assets.php (lines 41-46) and includes/Helpers.php (lines 64-83) enqueued this same nonce value into every public page rendering a fediverse embed. The fix in version 1.5.9 (commit 93821405790ccc7a80528e91b34b624606b54969) introduces Helpers::is_safe_url() and Helpers::is_safe_host() methods that enforce http/https scheme restrictions, resolve hostnames via DNS (A and AAAA records), and reject any destination resolving to private or reserved IP ranges using PHP's FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE flags, preventing SSRF to internal network resources.
RemediationAI
Upgrade to Fediverse Embeds version 1.5.9 or later, which patches the vulnerability by adding Helpers::is_safe_url() and Helpers::is_safe_host() validation before any outbound fetch is performed - blocking private ranges, reserved IPs, and non-http(s) schemes. The fix is confirmed at commit 93821405790ccc7a80528e91b34b624606b54969 and the advisory is at https://github.com/stefanbohacek/fediverse-embeds-wordpress-plugin/security/advisories/GHSA-cr42-rgq6-whjh. If immediate patching is not feasible, two compensating controls are available with trade-offs: (1) Disable the Fediverse Embeds plugin entirely - eliminates the attack surface completely but removes all embed functionality; (2) Implement egress firewall rules on the WordPress server blocking outbound HTTP/HTTPS to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16) - this blocks the highest-impact SSRF targets (cloud metadata, internal APIs) but does not prevent SSRF to external hosts, and may require adjustment if the server legitimately needs those routes.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36270